Is there a published SBOM anywhere for Elasticsearch or any other document that shares all the components/libraries used within the application? This would be helpful when investigating security vulnerabilities and determining if a specific vulnerability affects Elasticsearch.
Welcome to our community! 
I don't believe this is something we publish, nor can I find a reference for it internally. I would suggest you reach out to security@elastic.co as per Security issues | Elastic.